
Rate limit is applied even if login/registration failed

Open Nutomic opened this issue 9 months ago • 3 comments

Login and registration have a very low rate limit of 3 requests per hour. This can easily be hit by mistyping the login password three times in a row, or putting the wrong captcha on registration. Afterwards you only see rate limit errors. To resolve this, the rate limit should only be applied if the action was successful.

Also, login is a relatively cheap action and can use a higher limit.

Nutomic, Mar 26 '25 12:03

We've had this issue before, and I thought we fixed it. It might just be easier to up that rate limit.

dessalines, Mar 27 '25 16:03

It's not handled in the code, and would be tricky to add. Hopefully it can be done as part of https://github.com/LemmyNet/lemmy/issues/5550. Agree about increasing the rate limit, especially for 0.19.

Nutomic, Mar 28 '25 10:03

The login rate limit should not be significantly increased without implementing some kind of captcha requirement when too many logins failed in a row, otherwise that just allows for trying passwords until you find a working one. If captchas are to be implemented after a number of failed logins, keep in mind that there may be multiple lemmy_server processes responding to requests, which do not share the rate limit counts.

Nothing4You, Jun 02 '25 11:06
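
The following is an added example, not code from this thread or from Lemmy: a separate per-IP counter of failed logins that asks for a captcha after a threshold, so the general login limit can be raised without allowing unlimited password guesses. The type and method names and the thresholds (3, 10, one hour) are assumptions, and the counter lives in one process, so several lemmy_server processes would need a shared store to enforce it together.

```rust
use std::collections::HashMap;
use std::net::IpAddr;
use std::time::{Duration, Instant};

/// What the login handler should do with the next attempt from a client.
#[derive(Debug, PartialEq)]
pub enum Gate { Allow, RequireCaptcha, Block }

/// Hypothetical per-IP tracker of failed logins (an assumption, not Lemmy's API).
/// State is in-process only: separate server processes would each count alone.
pub struct FailedLoginGate {
    captcha_after: u32, // failures before a captcha is demanded
    block_after: u32,   // failures before attempts are refused
    window: Duration,   // quiet time after which failures are forgotten
    state: HashMap<IpAddr, (u32, Instant)>, // (failure count, last failure)
}

impl FailedLoginGate {
    pub fn new(captcha_after: u32, block_after: u32, window: Duration) -> Self {
        Self { captcha_after, block_after, window, state: HashMap::new() }
    }

    /// Call before checking the password. `now` is a parameter so tests control time.
    pub fn check(&mut self, ip: IpAddr, now: Instant) -> Gate {
        let expired = matches!(self.state.get(&ip),
            Some(&(_, last)) if now.saturating_duration_since(last) >= self.window);
        if expired { self.state.remove(&ip); }
        match self.state.get(&ip).map(|s| s.0).unwrap_or(0) {
            n if n >= self.block_after => Gate::Block,
            n if n >= self.captcha_after => Gate::RequireCaptcha,
            _ => Gate::Allow,
        }
    }

    /// Call only when the credential check fails. Successful logins are never
    /// counted, and they do not reset the count either, so a client with one
    /// valid account cannot clear its failures between guesses at another.
    pub fn record_failure(&mut self, ip: IpAddr, now: Instant) {
        let entry = self.state.entry(ip).or_insert((0, now));
        entry.0 += 1;
        entry.1 = now;
    }
}

fn main() {
    let ip: IpAddr = "203.0.113.7".parse().unwrap(); // constructed documentation address
    let (mut gate, now) = (FailedLoginGate::new(3, 10, Duration::from_secs(3600)), Instant::now());
    for _ in 0..3 { gate.record_failure(ip, now); }
    println!("{:?}", gate.check(ip, now));
}
```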